4 Tactics to Enhance Your Business’s Email Security

Karen Scarfone is the principal consultant for Scarfone Cybersecurity. She previously worked as a senior computer scientist for the National Institute of Standards and Technology.

For decades, email has been a conduit for cyberattacks — and the reason why couldn’t be more obvious: “Every company has at least one employee who will click on anything. Part of what the security challenge involves is protecting people from themselves.”

As Smith pointed out at Microsoft Envision in the fall, attackers also now rely heavily on targeted phishing emails and other individualized threats that are much harder to identify than the crude bulk messages of the past.

Employees who once used business-owned laptops and desktops to check their email now rely on their own mobile devices, and this makes email protection even more challenging.

Mobility greatly expands the opportunities attackers have to compromise user credentials and devices, breach email accounts and pose as users.

To address the challenges, businesses must deploy measures to markedly strengthen email security. Here are some tactics to prevent email-borne attacks from reaching employees and to mitigate attacks that penetrate a business’s defenses.

1. Adopt Stronger Encryption and Web-Based Email

Users often send and receive email through sessions that their email client software establishes with email servers. By default, many email clients don’t provide protection for these sessions.

Not only email messages and attachments, but also usernames and passwords, are transmitted without encryption to protect their confidentiality and integrity. Anyone monitoring such communications can gain unauthorized access to these email accounts and all associated messages.

With both options, strong passwords and multifactor authentication are also needed to validate the identity of anyone establishing an email session.

2. Move Your Business to Modern Anti-Malware Solutions

Anti-malware technologies, such as anti-virus, anti-spam and anti-phishing tools, have been used for decades to scan email messages and block or quarantine email containing malware and other malicious content. Newer anti-malware relies less on signatures of known malicious content and instead uses threat intelligence, reputation services and other near-real-time sources to pinpoint the location of threats — domains and IP and email addresses, for example. With highly targeted attacks now commonplace, it is vital to employ only anti-malware that uses the latest threat information.

Ideally, businesses should deploy modern anti-malware technologies as part of their infrastructure to monitor all email servers and services — and also on each client device to catch email-borne threats passing through outside email services.

3. Make Email Client Health Checks Mandatory

Businesses should monitor the health of all email client devices, whether company-owned or BYOD. Automated health checks can flag problematic email accounts and identify emerging security problems — such as end-user systems that use weak security settings or lack OS and email client software patches — and hasten corrective action by the IT team.

4. Block Exfiltration with Data Loss Prevention Tools

Cyberthieves commonly use email as a preferred mechanism for exfiltration — the unauthorized transfer of sensitive information outside the business or organization.

Malicious insiders often use their email accounts to forward sensitive data files to other email addresses, and attackers use compromised accounts similarly. Data loss prevention technologies can detect and stop these threats.

DLP is a critically important weapon in the email security arsenal. Whenever possible, DLP tools should be used to monitor email servers and any client devices with access to sensitive data that might be an enticing target.
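
As an added illustration (not from the original article or any particular DLP product), the sketch below shows the kind of check an outbound email DLP rule performs: it blocks a message only when Luhn-valid payment card numbers, in the body or a text attachment, are addressed to recipients outside the organization. The domain `example.com`, the function names and the sample messages are assumptions constructed for this example.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.com"  # assumption: the organization's own mail domain
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators

def luhn_ok(digits):
    """Luhn checksum: filters out digit runs that are not payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def external_recipients(msg):
    fields = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    addrs = [addr.lower() for _, addr in getaddresses([str(f) for f in fields]) if addr]
    return [a for a in addrs if not a.endswith("@" + INTERNAL_DOMAIN)]

def card_hits(msg):
    """Count Luhn-valid card numbers in every text part, attachments included."""
    hits = 0
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # binary attachments would need format-specific extraction
        raw = part.get_payload(decode=True) or b""
        text = raw.decode(part.get_content_charset() or "utf-8", "replace")
        for m in CARD_RE.finditer(text):
            if luhn_ok(re.sub(r"\D", "", m.group())):
                hits += 1
    return hits

def dlp_verdict(msg):
    """Block only when sensitive data is leaving the organization."""
    return "block" if external_recipients(msg) and card_hits(msg) else "allow"

def sample(to, body, attachment=None):
    """Constructed test message; addresses and contents are made up."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "alice@example.com", to, "Q3 export"
    m.set_content(body)
    if attachment:
        m.add_attachment(attachment, subtype="csv", filename="export.csv")
    return m

if __name__ == "__main__":
    print(dlp_verdict(sample("drop@mail.example.net", "see attached",
                             "name,pan\nA,4111-1111-1111-1111\n")))
```

The Luhn step is what keeps ticket numbers and other long digit strings from triggering the rule; production tools add many more data types and handle binary attachment formats.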

How Application Whitelisting Can Boost Cybersecurity

Application whitelisting technologies allow only authorized software to execute. Many desktop and laptop operating systems have built-in application whitelisting that, when properly configured and maintained, can prevent malware and other unauthorized executables from running on devices.

Whitelisting provides a last barrier of defense: If malware gets through other security controls and installs on the device, it won’t be able to execute and fulfill its mission.

Smartphones and tablets often lack built-in application whitelisting but have roughly equivalent features. For example, a smartphone can be set to execute software only from an authorized app store, and all apps in that store can be screened for malware. Thus, if an attacker transfers malware to the smartphone via email, the malware won’t execute because it isn’t from the associated app store.